First off we need to take a hash dump:

Now of course you can do the same using SQL Injection etc (WHY when you have SQLi already? duh privilege escalation!) , I’m going to cover this from the perspective that you are the administrator looking to strengthen your security …

Now you have your hashdump you need a hash table with the equivelent passwords within it, for this you will need 2 things

1. A dictionary file
2. https://github.com/Oneiroi/PenTesting/blob/master/crypto/generators/mysql/csv_gen.py

The python script above I wrote to use multiprocessing to map words onto the hash function, and I have had it grind through mySQL hashes at a rate of ~98k per second, there is no “lookup” script at this time though one is currently being written.

once this has ground through your wordlist you will have a CSV file, which will be in the format , the script defaults to the new PASSWORD() function, if you are using old_password=1 in your configuration then pass the -l flag to use legacy hashing instead.

ok let’s assume the following fictional scenario

1. old_passwords is in use, and we want chip’s password
2. 077b91e3491e2fdd chip
3.

4. Chip has a password that is just he letter “a” which he will tell you is the best password ever …

And that’s about a simple as it gets you generate a set of hashes and you compare known hashes to your generate set to see if you can discern simple passwords, hopefully going on then to chastise the user and instructing them on proper password etiquette, there are more complicated methods of getting the password from the hash, in the case of old_passwords I believe it is possible to reverse the hash to get the original string for one (so don’t use old_passwords!)

If you go on to use my python scripts, please let me know how they perform, my test were carried out using an intel i5, I’d love to know how they perform on other CPUs.

Tweet

Right so you have hidden your versions via The Hooded Apache so what now?

Well no matter what you do if your url’s contain .php / .asp / .cfm (Frankly if you are using coldfusion you deserve what you get … just saying …)

You are disclosing what your webapp is using as it’s server side language, now to be clear this hiding is only going to be effective if you are using a bespoke webapp, and not say Joomla / WordPress as they are easily identifiable via other means (for another post) …

mod_rewrite

Learn this, I mean seriously not only can it help cloak your server side language but you can do so using SEO urls.

BUT be careful if you think you’re being cleaver by having mod_rewrite change the extension alone …

it will be easy to enumerate the back end language this way … the first 404 that an attacker gets when enumerating your file names will reveal this rule i.e.

“The file /asfasdgasdg.php was not found on this server” … yeh …

Change the extension entirely

Security through obscurity? you bet your ass, just add your new extension onto your AddType declaration, because you are already avoiding the dual extension vulnerability right?

how about .wtf

Now just name your files .wtf instead of .php

So your using subversion good for you! you can use subversion as part of PCI 11.5 (iirc) to enforce file integrity assuming of course you have your subversion deploy setup securely just one tiny problem …

Seemingly innocent right? oh how wrong you are …

1. http://domain.com we know the version control server location, we can attack that later
2. http:// is not an encrypted protocol, easy to sniff for if you get access to the server / company lan
3. joe.blogs we have a known username we can attempt to access using dictionary / brute force / social engineering
4. http:// the server could be vulnerable to CVE-2011-1921
5. we know that config.php exists we can target that later for other crednetials

So assuming a worst case scenario,

1. Webapp is compromised and we managed to deploy a remote shell
2. Sniffing for http:// hiding silently in the background we find a site update / commit, and snag joe.blogs user credentials
3. Exploiting CVE-2011-1921 we enumerate all projects on the svn server (If we even have to … joe.blogs could have access to everything anyway …)
4. Inject backdoors into all projects committing changes as joe.blogs
5. Wait for co de to be deployed to production …
6. And now you have backdoors into multiple projects

You can prevent this by …

Or using mod_security

Ensure you use an ENCRYPTED protocol for your version control https:// / ssh+svn:// for example with subversion.

Tweet

You will get

As an attacker looking to hit a web app, one of the first things you’re going to want to look into is what version of web server is running, in this case you can see this blog in fact runs apache … but there is not much else to go on here is there.

That’s intentional, and by manual configuration changes I have put in place, this is not the case of a default LAMP install, take for instance, this snippet from another website,

This already has given me a wealth of information to go on and begin prepping an attack, I now know the site is running php version 5.2.14 Apache version 2.2.16 and that the underlying OS is Debian.

See the dilemma? your default roll outs are just declaring their running versions to anyone willing to listen, so lets make it a little more stealthy.

First and foremost if you are using php, edit your php.ini and set the following:

Now head into your httpd.conf and set the following

and

With these 3 simple steps all the headers will now return is Server: Apache this is the first step to shielding your app, I’ll be covering further steps as time allows.

Tweet

This error indicates that the user and/or the group specified in the config does not exist, this can happen if you have typed in either incorrectly, and/or the user has been removed from the system (see /etc/passwd).Tweet

All the accounts were registered around the same time, and had never been logged in to.

So please re-register if you are a genuine user.

Cheers

BuzzTweet

In this part I will be covering the concepts of secured shared hosting, and why you as a shared hosting provider should be taking steps to ensure this is how you deploy your hosting environments.

Let’s first take a typical L.A.M.P setup:

PHP Compiled from source as apache module.
mySQL installed from RPM or update package (yum / up2date).
HTTPD installed as RPM or update package (yum / up2date).

Please note at the time of writing if you yum / apt-get / up2date install your PHP package you will have varying results when attempting to compile and install suPHP, as such grab the source code from php.net, and follow this series.

As a shared hosting provider lets say you have 5 clients all hosted from the one server, each client using vsftpd is chrooted() into their home directory, and their ssh access disabled, supposedly secure enough.

Unfortunatly not so, due to the L.A.M.P configuration the ‘apache’ user needs a minimum of read and execute permissions over all the PHP files on the system, why is this a problem?

This is a problem largely due to human nature of the client, your ‘joe bloggs’ client doesn’t care about the technical aspects of web hosting or websites, they just want an easy pretty interface to get their corner of the internet online, downloading something like drupal or joomla.

Now this isn’t a dig at open source CMS, this is an insight into human nature, look at the changelog for any open CMS and you will see ‘security fixes’, unfortunatly all ‘joe bloggs’ cares about is that their website is working, and this is wher things take a turn for the worse.

Joe Bloggs never updates his open CMS platform, meaning any vulnerabilities patched in subsequent releases are still exploitable on his website, worst case scenario that this is an XSSI (Cross Server Script Includes) vulnerbility.

An attacker finds this website and idetifies the security hole, using XSSI to install a PHP interactive shell, giving the attacker SSH like access to the hosting environment, most people at this point think so the attacker has compromise one site … so what we can restore that site from backups and it’s only one site that’s affected, the other 4 users either do not use open CMS or are up to date with all the security patches.

Well that’s where you would be wrong, with the hosting setup outlined above the SSH like PHP shell is now running as the apache user, meaning the attacker can go anywhere and read anything apache can, and with the hosting setup oulined above that mean reading things like datbase connection files, suddenly all the clients on the hosting environment have their websites compromised as the attacker gains mySQL access and starts changing content on thewebsites, despite the fact that the other 4 sites themselves were never exploited.

One clients error just became a cascading exploit on your hosting platform, now make that a more realistic platform say 30 clients on the box, some are online shops, the issue just became a whole lot bigger there is lost revenue due to downtime of the shop sites, and worse still the attacker now has access to any customer details those shops were storing! but it’s not Joe Bloggs that’s accountable it’s YOU as the hosting provider, you can take steps to prevent one exploited site becoming 30, and this web series will tell you host to do it.

coming in part 2:

an introduction to suPHP
compiling php as a cgi binary, and why you need to do so

Tweet

“Please find attached a statement of fees as requested, this will be
posted today.

The accommodation is dealt with by another section and I have passed
your request on to them today.

Kind regards.

Hannah ”

Yes it is a virus the attached .doc.exe file seems to vary daily in it’s choice of virus.

So far it has been:

TROJ_AGENT.ANID
TROJ_ZBOT.WB (No page exists for this variant at the moment)
WORM_SYSTEM.AA

All 3 of which were not detected in the most uptodate pattern from trend, having to instead resort to their CPR release (Controlled Pattern), after emailing these samples to their labs (Another unknown variant was received today, and sent to Trend labs).

This brings into question the validity of “Honey pot” accounts to catch these viruses, the only reason I am able to attain these “samples” before they become a problem is due to the fact I have a “Honey pot” email account with a generic often spammed address format for this purpose.

This is making “Honey pots” more of a NEED now instead of an “Über Techies” box of tricks the end user is afraid to go within 30 meters of.

If you run a windows based network I suggest you do some research into how to setup a good honey pot (DO not use an account on your exchnage server that would be REALY stupid), you can also post a comment or use the contact for for advice.

Once setup make it part of your daily routine to test samples as they some in against your anti virus solution, making sure you know how to send samples to the providers labs for analysis.Tweet

On top of that in the case I am currently working on it has set the local machines GPO to hide the “Desktop” tab in the desktop properties.

The idea behind this is shock fraud, upon running the program it will tell you the computer is infected with thousands of malware and viruses, which wont show up on any other anti virus product, leaving you with supposedly one option … to PAY for their software …

Yeh like hell …

Fortunately the guys over at bleepingcomputer.com are on top of things, and provide removal instructions for this fraudulent software.

http://www.bleepingcomputer.com/malware-removal/remove-antivirus-xp-2008

I’ll be intrested to see if their removal tool resets the GPO.

UPDATE: Make sure after installing the malwarebytes’ software that you first run an update before scanning.

As mentioned in the bleeping computer article, if your antvirus let this program in, in the first place it may be worth purchasing the pro version of Malwarebytes’ to get the real time protection (NOTE: The freeware version will remove Antivirus XP 2008 regardless).

You can do this via with of the following links:

Saiweb Affiliate Link

Bleepingcomputer.com Affiliate Link

UPDATE 2: Malwarebytes’ removed Antivirus XP 2008, and restored the “display” tab, under desktop properties.

*** DISCLAIMER ***

As sad as it is, I have to include the following statement:

This information is provided as a self help guide only, by following the instructions provided you do so at your own risk.Tweet

Trend Micro Page

After all the problems I had with Cryp-TAP-2 (here) I’m going strait for the COMBOFIX option! I’ll update with how I get on.

UPDATE: Everything looks good so far, booted into safe mode, and ran combofix, the system is now rebooting normally, now waiting on the log report.

UPDATE2: Combofix did the job YET again! getting a popup or too still about the system restore volume, from the look of the report this little bugger hooks itself into system processes (explorer.exe svchost.exe)

Tweet

Chroot’ing a user is always a good idea from a security perspective, but by default it leaves usability lacking.

For example a web development department quite rightly is using individual logins, with each developer able to access each of their site directories, in a non chroot environment.

The downside? the can also browse pretty much the entire server, and each others directories …

So rather than some extensive and long winded chmoding or directories, we need to chroot them and still preserve access to the shared directories …

But how?

In this case the shared resource will be /home/shared

First of all for security and chrooting purposes make the following changes to /etc/vsftpd/vsftpd.conf

Now reload vsftpd: /etc/init.d/vsftpd

Create a test user (in this case buzz):

Remove the user’s shell access (and subsequently sftp/scp) by editing /etc/pass wd (remove the space between pass wd, wordpress is breaking when I try to post it properly)

replace

with

Test the FTP session:

In the example above www is a symlink to /home/shared, as can be seen symlinking does not bypass the chroot settings.

What you need to do is use the “bind” option of the mount command (as root or a sudo’er):

NOTE: –bind is double dash bind
NOTE: to reverse the bind (i.e. if you bind the wrong folder) umount /path/to/binded/folder

Now re-test the ftp session:

The user now is in a chroot’ed environment, but can still access the share resources you specify, by binding them.

FAQ:

Why remove the users SSH / SCP access?

SCP/SFTP at the time of writing has no logging facility, making it next to impossible to find out who uploaded / overwrote a file in the shared resource at any given time.

(UPDATE 19/07/2010: http://www.saiweb.co.uk/linux/enable-logging-in-the-sftp-subsystem)

By forcing FTP all transactions will appear in the xfer log.

There are mods for SCP out there to allow logging, however you can use them at your own risk I do not recommend using them on a customer facing environment.

Why would I want to “chroot” the user?

Change

to

and reload vsftpd, now login to ftp hand try to get out of your home directory,

you will notice you can pretty much browse the entire file system, and depending on the setup write and delete files owned by anyone in the same group as that user.

By chroot’ing the user you are reducing the potential for things to go wrong on your server, as you add more and more users it reduces the “sys admin” time incurred due to user error.

NOTE: Remember to put

back and reload vsftpd!

Disclaimer:

You break it, it’s not my fault!

If you run into problems just leave a comment.

Tweet